An Internet Based Anonymous Electronic Cash System

Transcription

1 Research Paper American Journal of Engineering Research (AJER) e-issn: p-issn : Volume-4, Issue-4, pp Open Access An Internet Based Anonymous Electronic Cash System Israt Jahan 1, Mohammad Zahidur Rahman 2, K M Akkas Ali 3, Israt Jerin 4 1,2 Department of Computer Science and Engineering, Jahangirnagar University, Dhaka, Bangladesh 3 Institute of Information Technology, Jahangirnagar University, Dhaka, Bangladesh 4 Britannia University, Paduar Bazar, Bissaw Road, Comilla, Bangladesh ABSTRACT: There is an increase activity in research to improve the current electronic payment system which is parallel with the progress of internet. Electronic cash system is a cryptographic payment system which offers anonymity during withdrawal and purchase. Electronic cash displays serial numbers which can be recorded to allow further tracing. Contrary to their physical counterparts, e-cash have an inherent limitation; they are easy to copy and reuse (double-spending). An observer is a tamper-resistant device, issued by the Internet bank, which is incorporated with the Internet user s computer that prevents double-spending physically, i.e., the user has no access to her e-cash and therefore he cannot copy them. In this paper, we shall present an anonymous electronic cash scheme on the internet which incorporates tamper-resistant device with user-module. KEYWORDS- E-cash, Double-spending, Tamper-resistant device, Blind signature, Internet banking. I. INTRODUCTION Electronic commerce is one of the most important applications for the internet. The prerequisite for establishing an electronic marketplace is a secure payment. Several electronic protocols have been proposed to implement different kinds of payment: credit card payments, micropayments, and digital e-cash. Cryptographically, the most challenging task is the design of digital e-cash for every payment system mentioned above we have the requirement that the payment token has to be unforgeable. In 1982, D. Chaum [7] presented the notion of blind signatures that offer the possibility to design electronic e-cash. The bank signs a set of data chosen by the user which guarantees both the unforgeability of the e-cash and their anonymity, since the bank does not get any information about data it signed. But blind signatures solve only half of the problem: since digital data can be copied, a user can spend a valid e-cash several times (double-spending) if the deposit of e- cash is not done on-line [3]. To validate each e-cash on-line means that the vendor has to contact the bank in every purchase. From the efficiency s point of view this is undesirable. Therefore, we restrict our attention to off-line systems, i.e., the vendor has to check the validity of e-cash without contacting the bank. An e-cash is constructed in a way that allows its owner to spend it anonymously once, but reveals his identification if he spent it twice [5]. From a theoretic point of view this solution is quite elegant. But in practice it is unsatisfactory. A way to prevent the user physically from copying her coins is to store essential parts of a coin in a tamperresistant device called the observer [7]. II. AN E-CASH MODEL WITH TAMPER-RESISTANT DEVICE An internet based anonymous off-line electronic e-cash scheme [1, 8 and 9] with tamper resistant device consists of three collections of probabilistic, polynomially- bounded parties [2], a bank B, users U i, and shops S j, and four main procedures: withdrawal, blind signature issuing, payment and deposit (Figure 1). Users and shops maintain separate account with the Internet Bank [10]. - When user (U i ) needs e-cash, then Bank issues e-cash from user s account in his (user s) tamper-resistant device T i over an authenticated channel. - When user (U i ) wants to spend this e-cash, it is validated by bank (B) by blind signature issuing protocol. - U i spends an e-cash by participating in a payment protocol with a shop S j over an anonymous channel, and - S j performs a deposit protocol with the bank B, to deposit the user s e-cash into his account. w w w. a j e r. o r g Page 148

2 Bank (1) Withdrawal protocol (2) Blind signature issuing protocol (3) Payment protocol (4) Deposit protocol (1) (2) (4) Tamper-resistant device Service provider User (3) Figure 1: Model of e-cash with tamper-resistant device III. AN INTERNET BASED ANONYMOUS E-CASH SYSTEM We shall now represent an anonymous off-line e-cash transaction system on the Internet. 3.1 The Bank s setup protocol - All arithmetic is performed in a group G q of prime order q chosen by bank (B). The bank generates independently at random four numbers g 0, g 1, g 2, h G q and a number x Z q. The bank also determines a collision-free hash function H(.) such as to make the Schnorr signature scheme secure [4]. A public key that is issued by the bank to the user is a pair ( h i, a i ) G q *G q. - The number x is the secret key of the bank, and the corresponding public key is the tuple (g 0, g 1, g 2,h, G q, H(.)). A certificate of the bank on the public key ( h i, a i ) of the user is a triple (z i, c, r ) such that c =H(h i, a i, z i, g o r h -c, (h i ) r (z i ) -c ). - The secret key that corresponds to the public key (h i, a i ) of the user is a pair ((β 1, α 1 ), (β 2, α 2 )), such that h i =g 1 β1 g 2 α1 and α i = g 1 β2 g 2 α The actions The Internet bank will be denoted by B, the user by U i, and the service provider by S j. The computer of U i is denoted by C i, and his tamper-resistant device by T i Account establishment protocol U i installs on his computer, a software program for performing the protocols. When U i opens an account with B, the following procedure takes place. - C i generates independently at random a secret key x i2 Z q, and stores it. C i sends h i2 = g 1 xi2, to B, together with an appropriate verifiable description of the identity of U i. It then generates independently at random a secret key x i1 Z q for U i. B lists this number (h i2 ) in its so-called account database, together with at least a balance variable that keeps track of the amount of money that U i has in its account with B, and the description of U i s identity. - B then issues to U i a tamper-resistant device T i which has stored in non-volatile memory at least the following items: the numbers x i1 and g 1, and a description of G q ; code to perform its role in the protocols; and a counter variable, from now on denoted by balce, that keeps track of the amount of money that is held by U i. - B makes h i1 =g 1 xi1, known to U i ; this is the public key of T i. B then computes h i =h i1 h i2 (the joint public key of T i and U i and stores h i in his account database along with its other information on U i ). The bank B does not know the joint secret key, (x i1 +x i2 ) mod q, of T i and U i. - Finally, B computes (h i g 2 ) x, which will henceforth be denoted by z i known to U i. w w w. a j e r. o r g Page 149

3 3.2.2 Withdrawal protocol The withdrawal of electronic cash appears as follows: T i is assumed to have in common with B a secret key k. This secret key, and a sequence number, seq, (which has been set to some initial value, such as zero), have been stored by B before issuing T i to U i. In addition, the description of a one-way function f 1 (.) has been stored by B in T i. B decreases the balance, balce, of U i by amount. It then increases seq by one, and transfers v f 1 (k, seq, amount) to T i by sending it to C i. T i receives v from C i. It then computes f 1 (k, seq, amount), and compares it for equality with v. If equality holds, it increases seq by one, and balance by amount. The withdrawal protocol appears as follows: Tamper-resistant Device (T i ) Bank (B) balce balce - amount Verify ( v)----- v f 1 (k, seq, amount) v = f 1 (k, seq, amount) seq seq+1 then, seq seq+1 balce balce + amount Table 1: The withdrawal protocol The Pre-processing of blind signature issuing protocol Payment of an amount requires U i to provide the service provider with a signature on the amount (and additional data). To prepare for the withdrawal of a blind signature on e-cash, T i and C i perform the following off-line processing. - Ti generates independently at random a number w i R Z q, and sends a i g 1 wi to C i. T i stores w i for later use in the payment protocol. - C i generates independently at random a vector (α 1,α 2, α 3,α 4, α 5 ) Z q 5, such that α 0 mod q. It then computes h i (h i g 2 ) α1, a i = a i α1 g 1 α2 g 2 α3, z i z i α1, temp 1 h α4 g 0 α5, temp 2 (z i ) α4 (h i g 2 ) α1α5. - C i stores (h i, a i ) and (α 1, α 2, α 3 ) and temp 1, temp 2, α 4 and α 5 for the later use in the payment protocol The blind signature issuing protocol The issuing of blind signature [6] is done by means of the following on-line certificate issuing protocol between C i and B. The blind signature issuing appears as follows: Compouter(C i ) Bank(B) w Z q w a g 0 c H(h i, a i,a temp 1,b α1 temp 2 ) c c +α 4 mod q (a,b) (c) (r ) The pre-processing of payment protocol Table 2: The blind signature issuing protocol b (h i g 2 ) w r cx + w mod q To pay to S j an amount, T i and C i perform the following pre-processing. - C i determines the specification, denoted by spec, of the payment. This number is a concatenation, in a standardized format, of that is to be transferred, the time and date of transaction, and an identification number that is uniquely associated with S j. Additional data fields may be included in variable spec. C i then sends (h i, a i ) and spec to T i. - T i verifies that w i is still in memory, and thatbalance exceeds amount (T i can read this value from spec). If this is the case, it computes d=h(h i,a i,spec) and r 1 =dx i1 + w i mod q. It then decreases balance by amount, erases w i from memory, and sends r i to C i. - C i computes d=h(h i, a i,spec), and verifies that g 1 r1 h i1 -d =a i. If this is the case, C i computes r 1 =α 1 (r 1 +dx i2 )+ α 2 mod q, r 2 dα 1 +α 3 mod q. The pre-processing of payment protocol appears as follows: w w w. a j e r. o r g Page 150

4 User computer(c i ) Tamper-resistant device(t i ) (h i, a i ) d=h(h i, a i,spec) balce balce - amount (r 1 ) d=h(h i, a i,spec) verify g r1 -d 1 h i1 = a i r 1 α 1 (r 1 +dx i2 )+ α 2 mod q r 2 dα1+α3 mod q r 1 =dx i1 +w i erases w i Table 3: The preprocessing of payment protocol The payment protocol The actual payment is done by means of the following on-line payment protocol between C i and S j. - C i sends (h i, a i ),(z i,c,r ),(r 1,r 2 )to S j. - S j computers d in the same way as did C i and T i and accepts the transferred information if and only if h i 1,c =H(h i, a i, z i, g o r h -c, (h i ) r (z i ) -c ) and g 1 r1 g 2 r2 (h i ) -d =a i - The payment protocol appears as follows: Computer(C i ) Service Provider(S j ) -- (h i, a i ),(z i,c,r ),(r 1,r 2 ) Check d=h(h i, a i,spec) c =H(h i, a i, z i, g o r h -c, (h i ) r (z i ) -c ) g 1 r1 g 2 r2 (h i ) -d = a i The deposit Protocol Table 4: The payment protocol At a suitable time, preferably when network traffic is low, S j sends the payment transcript, consisting of (h i,a i ), (z i, c, r ), (r 1,r 2 ) and spec, to B. B verifies that spec has been formed correctly by S j. If this is the case, it searches its so-called deposit database to find out if it has stored (h i,a i ) before. There are two possible situations: 1. (h i,a i ) is not in the deposit database. B then computes d=h(h i, a i,spec), and verifies the payment transcript by verifying that h i 1, c =H(h i, a i, z i,g r o h -c, (h i ) r (z i ) -c ) and g r1 1 g r2 2 (h i ) - d =a i. If these verifications hold, B stores (h i, a i ),(z i,c,r ) and (r 1,r 2 ) in the deposit database, and credits the account of S j by amount. 2. (h i,a i ) is already in the deposit database. In that case a fraud has occurred. If spec of the already stored information is identical to that of the new payment transcript, then S j is trying to deposit the same transcript twice. Otherwise, B verifies the transcript as described insituation 1. If the verification holds (the payment transcript is valid), then the certified public key (h i,a i ) must have been double-spent with overwhelming probability. Since, B now has at its disposal a pair (r 1,r 2 ) from the new transcript and a pair, say (r 1,r 2 ), from the already deposited information, it can compute (r 1 - r 1 )/( r 2 - r 2 ) mod q. B then searches its account database (r1 - r1 )/( r2- for joint public key g r2 ) 1. Since, the identity of the corresponding account holder is known to B, appropriate legal actions can be taken. The number (r 1 - r 1 )/( r 2 - r 2 ) mod q serves as the proof of B that the traced user has compromised his tamper-resistant device and has double-spent the certified public key (h i,a i ). w w w. a j e r. o r g Page 151

5 IV. DISCUSSIONS In the e-cash scheme with tamper-resistant device, the user s secret is shared between the user and his observer. The combined secret is a modular sum of the two shares, so one share of the secret reveals no information about the combined secret. Co-operation of the user and the tamper-resistant device is necessary in order to create a valid response to a challenge during a payment transaction. It prevents the tamper resistant device from leaking any information about the user. V. CONCLUSIONS We presented electronic cash system which provides a physical defense against double-spending detection. To guarantee the prevention of double-spending, the bank has to be sure that the tamper-resistant device cannot be tampered with by the users. The use of a tamper-resistant device is a kind of first line of defense. If the user cannot manipulate the device, the tamper-resistant device can prevent double-spending. If the user succeeds in tampering the observer, the double-spending detection identifies the user afterwards. REFERENCES [1] Ogiela, M.R., & Sulkowski, P. Improved Cryptographic protocol for digital coin exchange. 15th International Symposium on Soft Computing and Intelligent Systems (SCIS), 2014, [2] Miers, I., Garman, C., Green, M., & Rubin, A.D. Zerocoin: Anonymous Distributed E-Cash from Bitcoin. IEEE Symposium on Security and Privacy (SP), 2013, [3] Jiangxiao Zhang., Zhoujun Li., Hua Guo., & Chang Xu. Efficient Divisible E-Cash in the Standard Model. IEEE International Conference on Green Computing and Communications (GreenCom), 2013, [4] Yun-kyung Lee., Seung-Wan Han., Sok-joon Lee., Byung-ho Chung., & Deok Gyu Lee. Anonymous Authentication System Using Group Signature. International Conference on Complex, Intelligent and Software Intensive Systems, 2009, [5] Israt Jahan., Mohammad Zahidur Rahman., & Md. Golam Moazzem. Review of Anonymous Electronic Payment System. Journal of Electronics and Computer Science, 2003, [6] Tsiounis, Y.S. Efficient Electronic Cash: New Notions and Techniques. Northern University, Massachusetts. PhD Thesis, [7] Chaum, D., & Pedersen, T. Wallet Databases with Observers. In proceedings of CRYPTO, 1993, [8] Brands, S. Untraceable Off-line Cash in Wallets With Observers. In proceedings of CRYPTO, 1993, [9] Schnorr, C.P. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 1991, 4(3), [10] Chaum, D. Blind Signatures for Untraceable Payments. Advances in cryptology-proceedings of Crypto 82, Lecture Notes in Computer Science, Springer-Verlag, 1982, w w w. a j e r. o r g Page 152